I do have a rule for blocking TCP, forgot to mention that. You can see from my tcpdump output above that the inbound packet is UDP though. I wonder why iptables doesn't block it even with this rule?
The really strange part about this is, if I remove the ACCEPT rules that are further down in my iptables config, NO DNS traffic gets through at all, due to the final REJECT rule:

    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW
    ...
    ...
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
So iptables does seem to be able to properly recognize UDP port 53 traffic, it's just not filtering correctly against the source IP address.
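An added example (not from the original post) that models the first-match semantics of an iptables chain to show why a block rule written with `-p tcp` never sees a UDP packet: the packet falls through to the later `ACCEPT udp dpt:53` rule. The source address `203.0.113.10` and the exact rules are assumptions standing in for the poster's real config, and the `state NEW` conntrack match is treated as always true for a first packet to keep the model small.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed placeholder for the address the poster wants to block (documentation range).
BLOCKED_SRC = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule. None fields mean 'anywhere' / any port, proto 'all' means -p all."""
    target: str                  # ACCEPT, DROP or REJECT
    proto: str = "all"
    src: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables walks a chain top to bottom; the first matching terminating rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy  # no rule matched: chain policy applies


# Chain as described in the post: the block rule only matches TCP, then the DNS ACCEPTs,
# then the catch-all REJECT. (state NEW is omitted; all packets here are first packets.)
CHAIN_TCP_ONLY_BLOCK: List[Rule] = [
    Rule("DROP", proto="tcp", src=BLOCKED_SRC),
    Rule("ACCEPT", proto="tcp", dport=53),
    Rule("ACCEPT", proto="udp", dport=53),
    Rule("REJECT"),
]

# Same chain with the block rule written protocol-agnostically (-p all, i.e. -s <ip> -j DROP),
# still placed above the ACCEPT rules so it is evaluated first.
CHAIN_ALL_PROTO_BLOCK: List[Rule] = [
    Rule("DROP", src=BLOCKED_SRC),
    Rule("ACCEPT", proto="tcp", dport=53),
    Rule("ACCEPT", proto="udp", dport=53),
    Rule("REJECT"),
]


def decisions(chain: List[Rule]) -> Dict[str, str]:
    """Run a few constructed packets through a chain and report the verdict for each."""
    samples = {
        "blocked_udp53": Packet("udp", BLOCKED_SRC, 53),
        "blocked_tcp53": Packet("tcp", BLOCKED_SRC, 53),
        "other_udp53": Packet("udp", "198.51.100.7", 53),
        "other_udp80": Packet("udp", "198.51.100.7", 80),
    }
    return {name: evaluate(chain, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, chain in (("tcp-only block", CHAIN_TCP_ONLY_BLOCK),
                         ("all-proto block", CHAIN_ALL_PROTO_BLOCK)):
        print(label, decisions(chain))
```

With the TCP-only block rule, the UDP query from the blocked host is accepted by the `udp dpt:53` rule that sits further down, which matches the tcpdump observation; a DROP that omits `-p tcp` (or a second rule with `-p udp`) placed above the ACCEPTs catches it, while unrelated hosts still reach port 53 and everything else still hits the final REJECT.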